How to inform users via web that they are blocked?

I want to define some users by MAC address to be blocked from using the internet and have them redirected to my web server with some index text message.

I tried this NAT rule:

ip firewall nat add chain=dstnat src-mac-address=00:0E:A6:8C:63:AD protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.9 to-ports=80 disabled=no
00:0E:A6:8C:63:AD is the MAC of the user whom I want to inform, and 192.168.3.9 is my web server.
It doesn't work. Please help!!

Define “it doesn’t work” :wink:

What does the user see?
Is your webserver configured to serve any hostname on that ip address (as your webserver will see requests for the address the customers typed in, i.e. things like “www.google.com”, “www.microsoft.com/windows/vista” etc.).

You have to run a webserver on a dedicated ip address (no name based virtual host!) which has a start page and a 404 error page stating your message basically…

Best regards,
Christian Meis
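
The requirement in the reply above (one dedicated address that answers any hostname and any path with the notice), as an added example that is not part of the original thread. The 403 status, the `no-store` header, the notice wording and the names `render_notice`, `NoticeHandler` and `make_server` are assumptions made for this sketch.

```python
import html
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STATUS = 403  # assumed: non-2xx so the notice is not taken for the real site


def render_notice(requested_host):
    """Build the notice page; the Host header is client-controlled, so escape it."""
    site = html.escape(requested_host or "the requested site", quote=True)
    page = ("<html><body><h1>Internet access blocked</h1>"
            "<p>Your request for %s was not forwarded. "
            "Please contact the administrator.</p></body></html>" % site)
    return page.encode("utf-8")


class NoticeHandler(BaseHTTPRequestHandler):
    """Answers every Host header and every path with the same notice."""

    def _reply(self, send_body=True):
        # After dst-nat the client still sends the Host it typed
        # (e.g. www.google.com), so no routing is done on Host or path.
        body = render_notice(self.headers.get("Host", ""))
        self.send_response(STATUS)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")  # never cache under the real URL
        self.send_header("Connection", "close")
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._reply()

    def do_HEAD(self):
        self._reply(send_body=False)


def make_server(address="0.0.0.0", port=80):
    """Bind the notice server; port 80 matches to-ports in the dst-nat rule."""
    return ThreadingHTTPServer((address, port), NoticeHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```
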

Thanks for the answer, cmit, but I still have problems.

“Define “it doesn’t work”” No redirection is made by MikroTik - the user machine resolves google.com and always tries to connect to 72.14.207.99 on port 80. I see with a firewall on my web server that the user is trying to connect, and my server is sending some reply, but nothing happens.

I have configured a no-name virtual host this way:

<VirtualHost *:80>
    ServerAdmin dodger@192.168.3.9
    DocumentRoot /www/htdocs
    ServerName *
    ErrorLog logs/dummy-host.5inch-error_log
    CustomLog logs/dummy-host.5inch-access_log common
</VirtualHost>

and have created an access file with error document 404.

Is it correct? And what am I doing wrong?

Put the rule above your masquerade rule

It is already there.

Anyone? Need help... :confused:

Use IP instead of MAC. Make a rule to add the IP address to an address list by MAC (if mac=… add src-address etc)
and make a drop rule too
(if dst-address!=your web server and dst-port!=80 drop)

It's not working for me... the same problem... I just put the web server IP address... and no redirection!!!

When I type the server ip:port directly in the user's Explorer address bar it's working... but not working from the firewall!!!